RH415 - ch08s04

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

SectionSection 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Controlling Access with Confined Users

In this exercise, you will configure users as SELinux confined users to limit the mechanisms they may use to access the system and the superuser account.

Outcomes

You should be able to:

Prevent Linux users from switching to a different SELinux confined user.
Control the methods administrators are permitted to use to switch user with SELinux confined users.
Examine the effects of confined SELinux users on sudo, su, ssh, and SUID execution and explore relevant Booleans.

Confirm that the workstation and serverc machines are started.

Log in to workstation as student using student as the password. On workstation, run lab selinux-users setup to verify that the environment is ready. This script also creates the runme test program in /tmp and /home/student.

[student@workstation ~]$ lab selinux-users setup

On serverc, confine all Linux users except root by mapping them to the user_u SELinux user at login.

[student@workstation ~]$ ssh student@serverc
[student@serverc ~]$

Display the SELinux user associated with student.

[student@serverc ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverc ~]$ sudo -i
[sudo] password for student: student
[root@serverc ~]# 
```
Confirm that SELinux is in enforcing mode.
```
[root@serverc ~]# getenforce
Enforcing
```

Retrieve the mapping between the Linux and the SELinux users.

[root@serverc ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

Notice that by default, SELinux maps the Linux users to unconfined_u. Also, changing this mapping has no impact on the root user because it has its own rule.

Change the default mapping to map the Linux users to user_u. The semanage command may take up to a minute to complete.
```
[root@serverc ~]# semanage login -m -s user_u  -r s0  __default__
[root@serverc ~]# 
```

Use the semanage login -l command again to verify your work.

[root@serverc ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

Log out of serverc, then log in again as student.

[root@serverc ~]# logout
[student@serverc ~]$ logout
[student@workstation ~]$ ssh student@serverc
[student@serverc ~]$

Use the id -Z command to confirm that SELinux maps student to user_u.
```
[student@serverc ~]$ id -Z
user_u:user_r:user_t:s0
```

Confirm that student cannot use the sudo or su commands anymore. For su, use redhat as the password for the root user.

[student@serverc ~]$ sudo -i
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted
sudo: unable to initialize policy plugin
[student@serverc ~]$ su -
Password: redhat
su: Authentication failure

Set the user_exec_content SELinux Boolean to off to prevent users mapped to user_u from executing programs in /tmp or in their home directories.
1. Verify that for now, student can still execute programs in the /tmp directory on serverc.
```
[student@serverc ~]$ /tmp/runme
Tested
[student@serverc ~]$ ./runme
Tested
```
  The runme program was deployed by the exercise setup script.
2. Because you can no longer use sudo -i to switch from student to root, log out from serverc and log in again as root.
```
[student@serverc ~]$ logout
[student@workstation ~]$ ssh root@serverc
[root@serverc ~]# 
```
3. Set the SELinux user_exec_content Boolean to off. The setsebool command may take up to a minute to complete.
```
[root@serverc ~]# setsebool -P user_exec_content off
[root@serverc ~]# 
```
4. Log out of serverc and log in again as student. No password is required.
```
[root@serverc ~]# logout
[student@workstation ~]$ ssh student@serverc
[student@serverc ~]$ 
```
5. Confirm that student can no longer execute programs in /tmp or their home directory.
```
[student@serverc ~]$ /tmp/runme
-bash: /tmp/runme: Permission denied
[student@serverc ~]$ ./runme
-bash: ./runme: Permission denied
```

Create the operator1 Linux user account as follows:

The user is a system administrator and must be able to use the sudo and su commands. Map the user to the sysadm_u SELinux user.
Add the user to the wheel group, to benefit from the existing sudo rule granting permission to run any command as any user.
Set the user's password to redhat.
The operator1 user must be able to log in using ssh. The sysadm_u SELinux user does not allow this by default, but you can meet this requirement by allowing users mapped to sysadm_u to use ssh to log in.

Log out of serverc and log in again as root.

[student@serverc ~]$ logout
[student@workstation ~]$ ssh root@serverc
[root@serverc ~]#

Create the operator1 Linux user account, map it to the sysadm_u SELinux user, and add it to the wheel group. The useradd command may take up to a minute to complete.
```
[root@serverc ~]# useradd -G wheel -Z sysadm_u operator1
[root@serverc ~]# 
```

Confirm that SELinux maps operator1 to sysadm_u.

[root@serverc ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
operator1            sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

Set the password for operator1 to redhat.

[root@serverc ~]# echo redhat | passwd --stdin operator1
Changing password for user operator1.

Log out of serverc and try to use SSH to log in as operator1 user.

[root@serverc ~]# logout
[student@workstation ~]$ ssh operator1@serverc
Unable to get valid context for operator1
Last login: Mon Jul 23 07:58:37 2018 from workstation.lab.example.com
Connection to serverc closed.
[student@workstation ~]$

By default, SELinux denies access to sysadm_u accounts over SSH.

[student@workstation ~]$ ssh root@serverc
[root@serverc ~]# setsebool -P ssh_sysadm_login on
[root@serverc ~]#

Log out of serverc and log in as operator1. This time the connection succeeds.

[root@serverc ~]# logout
[student@workstation ~]$ ssh operator1@serverc
[operator1@serverc ~]$

To confirm that operator1 can administer the system, use the sudo -i command to switch identity to the root user and restart the httpd service. Use redhat as the password.
```
[operator1@serverc ~]$ sudo -i
[sudo] password for operator1: redhat
[root@serverc ~]# systemctl restart httpd
[root@serverc ~]# systemctl is-active httpd
active
```

Create the developer1 Linux user account for your web developer. developer1 is not a system administrator, but they need to be able to restart the httpd service with sudo.

Create the user account as follows:

Map the developer1 user to the staff_u SELinux user. Remember that if you do not explicitly map the user account, it is mapped to user_u, which does not allow sudo.
Set the user's password to redhat.
Create a new sudo configuration file, /etc/sudoers.d/developers, and add a rule to permit developer1 to run the systemctl restart httpd command as root.

Create the developer1 Linux user account and map it to the staff_u SELinux user. The useradd command may take up to a minute to complete.
```
[root@serverc ~]# useradd -Z staff_u developer1
[root@serverc ~]# 
```

Confirm that SELinux maps developer1 to staff_u.

[root@serverc ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
developer1           staff_u              s0-s0:c0.c1023       *
operator1            sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

Set the password for developer1 to redhat.

[root@serverc ~]# echo redhat | passwd --stdin developer1
Changing password for user developer1.

Create the /etc/sudoers.d/developers file and add a rule to permit developer1 to run systemctl restart httpd as root.
```
[root@serverc ~]# vim /etc/sudoers.d/developers
developer1  ALL=/bin/systemctl restart httpd
```

Log out of serverc and log in as developer1. No password is required.

[root@serverc ~]# logout
[operator1@serverc ~]$ logout
[student@workstation ~]$ ssh developer1@serverc
[developer1@serverc ~]$

Use the id -Z command to confirm that SELinux maps developer1 to staff_u.
```
[developer1@serverc ~]$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
```
Notice that the current role is staff_r.
Only the sysadm_r role allows the execution of commands using sudo. Confirm that the current role, staff_r, does not allow the user to restart the httpd service using sudo. Use redhat as the password.
```
[developer1@serverc ~]$ sudo systemctl restart httpd
[sudo] password for developer1: redhat
Failed to get D-Bus connection: Operation not permitted
```

To run commands with sudo, developer1 needs to change its current role to sysadm_r. Log out of serverc and log in as root. Use the semanage user -l command to confirm that SELinux allows staff_u users to change role to sysadm_r.

[developer1@serverc ~]$ logout
[student@workstation ~]$ ssh root@serverc
[root@serverc ~]# semanage user -l

              Labeling  MLS/       MLS/
SELinux User  Prefix    MCS Level  MCS Range       SELinux Roles

guest_u       user      s0         s0              guest_r
root          user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
staff_u       user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
sysadm_u      user      s0         s0-s0:c0.c1023  sysadm_r
system_u      user      s0         s0-s0:c0.c1023  system_r unconfined_r
unconfined_u  user      s0         s0-s0:c0.c1023  system_r unconfined_r
user_u        user      s0         s0              user_r
xguest_u      user      s0         s0              xguest_r

Configure sudo to perform the role change before running the command. Edit the /etc/sudoers.d/developers file and insert the ROLE variable before the command.
```
[root@serverc ~]# vim /etc/sudoers.d/developers
developer1  ALL= ROLE=sysadm_r /bin/systemctl restart httpd
```

Log out of serverc and log in as developer1.

[root@serverc ~]# logout
[student@workstation ~]$ ssh developer1@serverc
[developer1@serverc ~]$

Confirm that developer1 can restart httpd. Use redhat as the password. Log out when done.
```
[developer1@serverc ~]$ sudo /bin/systemctl restart httpd
[sudo] password for developer1: redhat
[developer1@serverc ~]$ logout
[student@workstation ~]$ 
```
The systemctl restart command does not display anything when successful.

Cleanup

On workstation, run the lab selinux-users cleanup script to clean up this exercise.

[student@workstation ~]$ lab selinux-users cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-b847083